[00:04.180 --> 00:11.000]  And welcome back to the Career Hacking Village. We talk a lot about doing technology,
[00:11.000 --> 00:18.200]  but we never really talk about how do we present, how do we get things moving forward.
[00:18.200 --> 00:23.960]  And I'm really excited, I was really excited to see the proposal submission from my friend
[00:23.960 --> 00:30.000]  Peter Keenan to just really talk about hacking security leadership. So Peter, take it away.
[00:30.000 --> 00:34.600]  Thanks so much Kathleen, and thanks everybody for watching.
[00:35.100 --> 00:41.100]  Yeah, this is my first DEF CON presentation, so thanks for accepting it.
[00:41.840 --> 00:49.780]  All right, the obligatory who am I slide. So I have been in the information technology and
[00:49.780 --> 00:56.580]  information security space for about 30 years. You can see from these pictures there's at least
[00:56.580 --> 01:03.120]  three decades of bad haircuts there. I'm currently the chief information security officer
[01:03.120 --> 01:10.040]  for a global financial services company. You all are hackers, you can figure it out if you
[01:10.040 --> 01:16.580]  really want to, but I'm not allowed to use the name, so I'm not going to. Prior to the five and
[01:16.680 --> 01:24.460]  a half year stint I've had there, I was global head of information security governance at Citigroup,
[01:25.240 --> 01:29.120]  yeah, I owned a bunch of things like the global information security policy.
[01:29.260 --> 01:34.280]  I was a director with PricewaterhouseCoopers and their information security consulting group.
[01:34.460 --> 01:41.140]  I owned a firm that did information security consulting for about a decade, primarily to
[01:41.140 --> 01:45.540]  military and intelligence agencies, and spent a little time working in government service before
[01:45.540 --> 01:53.660]  that. Yeah, like I said, a lot of time in the space, and I have hopefully boiled down what
[01:53.660 --> 01:58.480]  I've learned in the last 30 some odd years into about 30 slides, which sounds terrible
[01:58.480 --> 02:04.780]  when I say it that way, that I'm getting like one slide a year, but sadly it's true. Yeah,
[02:04.780 --> 02:14.160]  two kids, 24 and 21, 31 years of marriage. All right, so I'm going to start with this CISO mind
[02:14.160 --> 02:20.580]  map. I think it's a great slide. I think this chart is really informative, sort of about the
[02:20.580 --> 02:28.120]  things that somebody in my position is thinking about on a daily, weekly, monthly basis. The area
[02:28.120 --> 02:36.100]  of this mind map that I'm going to focus on is selling information security. I think it's the
[02:36.100 --> 02:42.720]  area that people struggle with most as they transition their career from sole contributors
[02:42.720 --> 02:50.060]  or engineering types or very technical sort of roles to a leadership role. And it's probably
[02:50.060 --> 02:57.000]  the most important part of information security. If you boil information security down to its core
[02:57.000 --> 03:05.500]  nugget, the thing that probably describes it best is influence without authority. And the
[03:05.500 --> 03:12.120]  ability to drive security through an organization without directly being able to control people's
[03:12.120 --> 03:18.080]  comp or control their, you know, performance reviews and all of those sorts of things
[03:18.080 --> 03:22.840]  is really the challenge that we face. I mean, some things we have direct control over, but by and
[03:22.840 --> 03:29.640]  large we don't. And we need to be able to convince people that this is the right thing to do both for
[03:29.640 --> 03:36.600]  their own personal gain, the company's gain, society's gain, all of those things. And that's
[03:36.600 --> 03:41.000]  why I think that's probably the core function that information security, probably the most
[03:41.000 --> 03:45.500]  important function within information security, because it's a force multiplier. If we can get
[03:45.500 --> 03:50.260]  the folks in the company all pulling in our direction, it multiplies our effectiveness
[03:50.260 --> 03:55.760]  dramatically. The thing I don't like about this part of it here, and, you know, maybe it's just
[03:55.760 --> 04:00.980]  me misreading it. I think the authors, like I said, did a great job. It feels like it's a lot of top
[04:00.980 --> 04:05.760]  down selling, right? And I think that that's good and it's important and it's what, you know, lets
[04:05.760 --> 04:10.660]  you keep your job as a CISO, convincing the, you know, the board and the CEO that you're doing a
[04:10.660 --> 04:16.300]  good job and security is important. You got to do that. But if you actually want to fix security
[04:16.300 --> 04:21.040]  at an organization, you've got to sell it from the bottom up because it's the people on the ground,
[04:21.040 --> 04:27.180]  the people at eye level who are actually doing the things that will make you more or less secure.
[04:27.180 --> 04:33.220]  And you've got to convince them that these are the right things to do. And these are the changes
[04:33.220 --> 04:37.940]  they need to make in their processes to be better. And you've got to provide them with ways of doing
[04:37.940 --> 04:43.560]  it that makes them more efficient, not less efficient. And, you know, it's a hard sell in a
[04:43.560 --> 04:49.740]  lot of cases with security because, you know, being frank, we're introducing overhead quite
[04:49.740 --> 04:54.220]  often to do things securely, right? I mean, the act of typing a password as opposed to just being
[04:54.220 --> 04:59.860]  on the system introduces overhead, but short-term overhead, long-term overhead, it obviously creates
[05:00.020 --> 05:05.900]  a lot of problems not having passwords. Amazon S3 buckets. Yes.
[05:07.260 --> 05:15.140]  All right. So jumping ahead, the key language of business, and again, something that for me,
[05:15.140 --> 05:20.380]  I think is one of the really big differentiators between a sole contributor and a leader in the
[05:20.380 --> 05:25.940]  information security space is the language of risk. Business leaders understand it. They may
[05:25.940 --> 05:32.480]  not understand your specific technical domain, and they may not understand what a router or a
[05:32.480 --> 05:37.320]  switch is, but they understand the language of risk. And it's a language that we can meet in
[05:37.320 --> 05:41.520]  the middle with them all. We can meet in the middle with lawyers, with accountants, business
[05:41.520 --> 05:51.680]  people, the CEO, they will all get the idea of likelihood and impact. It's a problem for us in
[05:51.680 --> 05:58.260]  technical fields. In the words that I've highlighted on this page, uncertainty and
[05:58.260 --> 06:04.660]  probability, we struggle with that as a group. We do. We think about these things in absolutes
[06:04.660 --> 06:10.500]  like engineers. And I know that's a rough way of saying it, but too many times, it's really
[06:10.720 --> 06:16.800]  a struggle to drag an estimate out of somebody who's in a technical discipline. They want to
[06:16.800 --> 06:22.740]  have the right answer. With estimates, you're basically saying, I'm giving you the wrong answer,
[06:22.740 --> 06:30.660]  but I hope it's close. Somebody who's got an engineering training or a mathematical training,
[06:30.660 --> 06:36.680]  that makes the hair on the back of their neck stick up. What do you mean? I don't know the
[06:36.680 --> 06:43.600]  answer. There's no right answer. I'm just thumbing the area. I'm putting that in front of the CEO?
[06:43.600 --> 06:52.260]  Yeah, you are. That's what risk is. You take the best educated guess you can sometimes
[06:52.260 --> 06:59.760]  about the likelihood, which is a soft number, and the impact of these events occurring.
[06:59.760 --> 07:04.560]  And that's the way that you have to describe them. I often hear people say this phrase,
[07:04.560 --> 07:10.920]  and it drives me nuts, you can't predict the future. Absolutely, you can. I mean,
[07:10.920 --> 07:16.760]  with 100% certainty, no. But why else would we eat right and exercise, right? Because we don't
[07:16.760 --> 07:20.260]  think we're going to die in the next hour. We don't think we're going to die tomorrow. We don't
[07:20.260 --> 07:25.600]  think the world's going to end tomorrow. We don't think they're going to have miraculous cures for
[07:25.600 --> 07:30.900]  diabetes and obesity tomorrow, right? That's why we save money, because we think that we're going
[07:30.900 --> 07:34.500]  to live to an age where we're going to need money, right? There's a million predictions
[07:34.500 --> 07:39.440]  about the future we make every day, all of us do. And I think we just have to get comfortable
[07:39.440 --> 07:47.320]  with that. You can't predict it with 100% certainty, but that's okay. You have to be
[07:47.320 --> 07:54.640]  able to get comfortable with the uncertainty and probabilities and presenting your risks in that
[07:54.640 --> 08:02.480]  way. And it's got to be done. If you look at the way the businesses report, these things,
[08:02.480 --> 08:07.620]  they all know that they're not 100% accurate. And people yell at you when your risk is way off. But
[08:08.170 --> 08:11.620]  end of the day, you were clear. It's an estimate.
[08:13.380 --> 08:18.920]  All right. Two other things. One last thing on this one. This is one of my pet peeves about
[08:18.920 --> 08:25.480]  information security folks. When they're talking to non-security folks, lay people,
[08:25.480 --> 08:31.520]  FUD is the biggest thing that drives me nuts. And you see it, the salespeople do it, the
[08:31.520 --> 08:36.980]  engineers, when they get frustrated, they do it. They just throw out these FUD bombs of like,
[08:36.980 --> 08:42.680]  well, you never know. Could be the Russians, those Chinese. It's just,
[08:44.040 --> 08:49.560]  stop, don't do it. It may work in the short-term to win that short-term argument,
[08:49.560 --> 08:54.580]  but you will lose respect from everybody in the room. And that's one of the things that
[08:54.580 --> 09:00.080]  defines you as a leader is being able to hold and command that respect over time.
[09:01.400 --> 09:07.240]  All right. Risk strategies. These are some of the terms that you have to understand if you're
[09:07.240 --> 09:12.800]  going to communicate in risk. Risk reduction. This one's pretty straightforward, right? I have
[09:13.460 --> 09:22.080]  a thousand systems that are MS08-067 vulnerable. I patched 999 of them. Have I reduced the risk?
[09:22.080 --> 09:26.480]  Yeah, probably, right? That's risk reduction. There's still a risk out there that I missed
[09:26.480 --> 09:32.960]  one, or that the patch isn't fully effective, or somebody didn't reboot after the patch,
[09:32.960 --> 09:38.760]  or all of those things. But that's what that's about, reducing the risk associated with some
[09:38.760 --> 09:44.260]  adverse event out there. Acceptance. This is another one we struggle with
[09:44.260 --> 09:49.900]  as technology folks. There are some times the business is just going to go, yep, that's okay.
[09:49.900 --> 09:55.140]  I get it. I get it. There's a, you know, you say there's a 10% chance that this website will get
[09:55.140 --> 10:02.600]  hacked. I'm okay with it. It's only up for 30 days. I'll take that risk. And we all go,
[10:02.600 --> 10:07.140]  you know, it makes our heads explode. But absolutely, that's their call. Your job
[10:07.620 --> 10:16.880]  is to identify, as best as you can, quantify and report that risk. It's their job to say yes or no
[10:16.880 --> 10:22.520]  to that risk, right? The CEO, whoever's in charge of that business function, they get to decide that.
[10:22.520 --> 10:27.840]  And I know there's a great cartoon about their, you know, what's the magic word to get what you
[10:27.840 --> 10:32.640]  want? Risk accepted, right? And, you know, there are some people who will overuse it, but
[10:33.940 --> 10:37.440]  that's in a well-functioning organization, that's how that should work.
[10:37.560 --> 10:41.940]  Avoidance. We're going to go through some examples later, but the classic one is just
[10:41.940 --> 10:46.260]  don't be in that line of business that's going to create that risk, right? Don't launch that
[10:46.260 --> 10:54.760]  website that, you know, tweaks its nose at some hacker collective or, yeah, any of those sorts of
[10:54.760 --> 11:00.500]  things. Avoidance is pretty straightforward. And there are times when we're going to want to advise
[11:00.500 --> 11:06.540]  that. But again, business may just say, yeah, I understand. Avoidance is probably better,
[11:06.540 --> 11:10.860]  but we're not going to do it because it's too much of a gain for us in business. And I've seen a
[11:10.860 --> 11:15.620]  million cases where they were right. I counseled, don't do it. And they said, well, we're going to
[11:15.620 --> 11:21.800]  make $300 million off of that. So we're going to do it anyway. And, you know, they were right.
[11:23.080 --> 11:30.880]  Transfer, risk transfer. This is the classic cyber insurance, right? And that's, you know,
[11:30.880 --> 11:35.220]  I think there's a lot of uncertainty around cyber insurance at this point, but this is the classic
[11:35.220 --> 11:41.540]  way of dealing with risk. And I think this will get better over time. The last one is probably the
[11:41.540 --> 11:46.540]  most common in this area. And that's hope. You just hope you don't get hacked. And you see it
[11:46.540 --> 11:51.360]  over and over and over again. Every day you see, you know, tons of people putting stuff on the
[11:51.360 --> 12:00.140]  internet and, you know, just hoping that bad things don't happen. All right. So I have a cat
[12:00.140 --> 12:06.100]  and she shares this office with me. So there's nothing I can do. Yeah. There's no risk avoidance
[12:06.100 --> 12:10.540]  on that. This was her office for the last five years. And I've only been working here for the
[12:10.540 --> 12:16.880]  last couple of months. So she'll pop in and out of frame on the background. Yeah. Her name is
[12:16.880 --> 12:25.740]  Schrodinger. All right. So risk appetite and tolerance. These are some other terms that you're
[12:25.740 --> 12:30.120]  going to need to know to speak the language of risk. Risk appetite is the amount or the type
[12:30.120 --> 12:37.300]  of risk that your organization is willing to take. Thank you. Every organization is going to have a
[12:37.300 --> 12:45.580]  different risk tolerance level. It's very much organization specific, right? Financial services
[12:45.580 --> 12:51.020]  tend to be more risk averse. Startups or tech companies tend to be more risk favorable where
[12:51.020 --> 12:56.380]  they'll just take chances. Particularly if you're a startup, right? I mean, what have you got to lose?
[12:56.380 --> 13:01.560]  A lot less than a hundred and something year old global investment bank, right? I mean, it's just
[13:01.560 --> 13:06.720]  those are the sorts of decisions that they're going to make. Your job is to understand what
[13:06.720 --> 13:13.500]  the risk appetite of folks is. And the description below is great because this is the tricky part.
[13:13.500 --> 13:18.540]  If you could just say, what's your risk appetite? And people could say seven and you'd be seven.
[13:18.680 --> 13:24.700]  There is no numeric value like that. Everybody's going to have a different definition and you're
[13:24.700 --> 13:28.820]  going to have to speak to a lot of people and you're going to have to deal in fuzzy terms to
[13:28.820 --> 13:39.400]  get a sense for how people want to deal with this, right? Whether or not they want to be able to say,
[13:40.500 --> 13:46.280]  you know, it's a dollar value or none, right? Like, you know, CEO is going to be like, no,
[13:46.280 --> 13:50.800]  what do you mean getting hacked? You're saying you want to know how often I want to get hacked?
[13:50.800 --> 13:54.580]  The answer is never, right? I mean, like, you know, I can get hacked for free. What am I paying you
[13:54.580 --> 14:00.020]  for if we're going to get hacked, right? CFO is probably going to set aside some money for this
[14:00.020 --> 14:05.280]  and say, put aside $8 million a year. So if you can exceed that, let me know and we'll budget some
[14:05.280 --> 14:09.960]  more for next year. You know, and everybody else is going to have a different view of it. Your job
[14:09.960 --> 14:14.340]  is going to be to consolidate all of that and come up with security controls that are appropriate
[14:14.340 --> 14:24.500]  to those risks. Yeah. Thank you. Thank you. All right. Risk impact levels. This is an interesting
[14:24.500 --> 14:31.480]  diagram and I think it's a great way, after you've had all those conversations, to communicate this
[14:31.480 --> 14:36.000]  back to the folks, right? To communicate this back to senior leadership and say, based on what I heard
[14:36.000 --> 14:41.120]  from all of you, and this is just an example from the site that's listed below, these are the sort
[14:41.120 --> 14:49.300]  of numbers or metrics I've come up with to calculate our risk levels, right? Whether something's a low
[14:49.300 --> 14:54.020]  impact, medium impact, or high impact. And get everybody to just sort of nod yes, so that there's
[14:54.020 --> 14:58.460]  at least a common understanding of the term, right? It's a lexicon that will help you build
[15:00.320 --> 15:07.700]  common understanding and get people, you know, when a bad event occurs, everybody sort of freaks
[15:07.700 --> 15:10.920]  out initially, but then you sort of can go back to this and say, listen, this is what we agreed
[15:10.920 --> 15:15.520]  to. This is in line with what we've communicated to the board, to the CEO, and it gets everybody
[15:15.520 --> 15:27.560]  back to at least level set. All right, managing cybersecurity risk and preparation. So this is
[15:27.560 --> 15:34.060]  just a framework that I like to use for how you would do all of these things, right? You've got
[15:34.060 --> 15:39.800]  to build a team, diversity on that team, so important from all aspects of it, right? The
[15:39.800 --> 15:45.840]  type of people, the type of education, the type of functions that they've served. The more viewpoints
[15:45.840 --> 15:52.220]  that you have on your team, the better you're going to be. And this is another thing that I
[15:52.220 --> 15:58.560]  see a lot of technical folks, and I've been guilty of it in my past. We hire people that look a lot
[15:58.560 --> 16:02.320]  like ourselves, right? And I don't mean that necessarily physically, but like I'm an infrastructure
[16:02.320 --> 16:08.340]  guy. That's where I come from. I love routers and switches and networks. And, you know, early on in
[16:08.340 --> 16:12.960]  my career, I thought those were the people that knew the most because they understood the things
[16:12.960 --> 16:18.660]  that I understood. And as I've grown, I think I tend to gravitate more towards people who know
[16:18.660 --> 16:25.080]  things that I don't. And I just ask them questions all day every time I meet with them. And I think
[16:25.080 --> 16:29.700]  that's made me a better leader. And I think that's probably the most important part of building a
[16:29.700 --> 16:33.060]  team when it comes to risks, because you've got to understand it from every angle if you're going
[16:33.060 --> 16:39.420]  to manage it effectively. Structure, you've got to assign formal responsibility for these things.
[16:39.420 --> 16:44.180]  I know a lot of people say risk is everybody's responsibility. Yeah, but if you say it's
[16:44.180 --> 16:48.640]  everybody's job, then it's nobody's job. It's got to be somebody's job. It's got to be somebody's
[16:48.640 --> 16:53.380]  responsibility. And you've got to give them the freedom and the ability to actually manage
[16:54.480 --> 17:02.460]  around that risk. Managing the risk. We talked about a bunch of these things already. Understanding
[17:02.460 --> 17:07.500]  your company's cyber risk profile. How likely are you to get attacked? How often? Who's going to
[17:07.500 --> 17:15.360]  come after you? What is your risk appetite? What is the impact of you getting hacked? Is it the
[17:15.360 --> 17:21.480]  type of business where Congress is coming after you? All of those things have to factor into your
[17:21.480 --> 17:28.540]  management of risk. Get as many viewpoints from the outside, law enforcement, your peers, industry
[17:28.540 --> 17:37.580]  groups as you possibly can. And then constantly updating your profile, your processes so that
[17:37.580 --> 17:41.900]  you're integrating the latest and greatest techniques for managing this stuff. The last
[17:41.900 --> 17:49.440]  part of this, probably the most important, what do you do when you're wrong? When you've calculated
[17:49.440 --> 17:56.960]  all of these things and the worst still happens, have a crisis response plan. I think during this
[17:56.960 --> 18:01.980]  year, it's like if anybody is arguing this point, you got to go, what are you thinking, right? I mean,
[18:01.980 --> 18:08.780]  we've had all of this craziness this year. I live in New York City and it's just, you know,
[18:08.780 --> 18:13.800]  I can't, you know, we were waiting for locusts, right? I mean, it just, you know, everything
[18:13.800 --> 18:23.620]  went wrong. And if you can't sell this now, you should probably think about moving jobs, right?
[18:23.620 --> 18:30.660]  This is as important as anything could be at this point, right? What do you do when you're wrong?
[18:31.640 --> 18:39.500]  All right. So I'm going to jump into a little bit of psychology. And I think this is one of the
[18:39.500 --> 18:44.840]  areas, again, that I think technology people, and I hate making generalizations, but I feel like I'm
[18:44.840 --> 18:51.920]  talking about myself here. So I've lived with this my whole life. We're not great sometimes at
[18:51.920 --> 18:57.360]  empathy and we're not great at understanding people's motivations. We know what they did.
[18:57.380 --> 19:01.800]  And maybe technically we know why they did it, but we don't know emotionally why they did it.
[19:01.800 --> 19:07.940]  And I've spent the last probably 15 years really focusing myself on trying to develop that part
[19:07.940 --> 19:13.500]  of my personality. So I could understand why people make the decisions that they do instead
[19:13.500 --> 19:18.140]  of just going, what the hell is wrong with you? What were you thinking? I'm actually trying to
[19:18.140 --> 19:22.060]  ask, hmm, that's interesting. What were you thinking instead of what the hell is wrong with
[19:22.060 --> 19:29.340]  you? What are you thinking? So this chart, I think it came from a Bill Gates presentation a while
[19:29.340 --> 19:37.460]  ago. I love it. If you ask people what they're worried about, what scares you? They'll be like
[19:37.460 --> 19:47.100]  terrorists, murderers, all these things that just are very, very, very... sharks. People are worried
[19:47.100 --> 19:53.740]  about sharks. You kidding me? Sharks? The chances of getting hit by, by getting killed by a shark,
[19:53.740 --> 20:01.740]  like, or you stand a better chance of buying two winning lottery tickets while getting hit by a
[20:01.740 --> 20:08.320]  meteor than you do of getting attacked by a shark. If you look at this chart, you can see some of the
[20:08.320 --> 20:13.440]  reasons for it, right? You know, the media tells you, you know, media doesn't report about people
[20:13.440 --> 20:18.860]  having heart attacks. They report about terrorism. Terrorism sells newspapers, right? I mean, like,
[20:19.440 --> 20:25.100]  it's such a rare event. Those aren't the things you should be worrying about. And, and in the
[20:25.100 --> 20:30.460]  information security space, there's lots of this, right? People talk about Stuxnet a lot.
[20:30.700 --> 20:35.740]  There's one Stuxnet, you know, and there's, there are APTs out there, and some of us have to deal
[20:35.740 --> 20:42.160]  with that. It's really rare. It's really rare. Chances are you're going to get owned by a
[20:42.160 --> 20:48.840]  mediocre ransomware crew. I mean, that's just, you know, probability. Overwhelmingly, that's who's
[20:48.840 --> 20:53.780]  going to own you. And we certainly had a lot of evidence of that this year. And, and I think
[20:54.840 --> 20:59.200]  there's a couple of biases at play here that I'm going to talk through in a little bit more detail.
[20:59.440 --> 21:06.120]  Public service announcement on this stuff, though, it freaks people out. When you reveal to them
[21:06.120 --> 21:13.420]  their cognitive biases, it pisses them the ass off. Like people will get really, really mad at
[21:13.420 --> 21:19.580]  you when you highlight this stuff to them. They killed Socrates for it, basically. So, you know,
[21:19.580 --> 21:24.320]  this is not new, but it's absolutely true. People do not like to deal with the fact that they have
[21:24.320 --> 21:29.540]  cognitive biases. So public service announcement, use this internally in your inside voice, don't
[21:29.540 --> 21:34.100]  necessarily communicate it to the folks in the room. I love this graphic up in the corner here,
[21:34.100 --> 21:39.260]  though. I mean, people have been talking about like, how social media is being used to change
[21:39.260 --> 21:45.700]  our politics. And this, you know, most of you are probably too young to even know what a TV guide is.
[21:45.700 --> 21:50.640]  But this TV guide from the 1980s basically had the same message about television, right? I mean,
[21:50.640 --> 21:55.360]  it's not new. This, you know, the foreign state actors are controlling the elections.
[21:56.260 --> 22:00.420]  They've been doing, you know, it's old hat. We've seen this a million times.
[22:01.880 --> 22:08.240]  All right. So if I can get my presentation to work again. All right, here we go.
[22:09.600 --> 22:14.460]  Why are people so bad at estimating risk? The optimism bias. This is the first one of the
[22:14.460 --> 22:21.460]  biases that I'm going to talk to you about. It's really funny. It's not really funny, I guess. But
[22:21.460 --> 22:26.280]  when you ask people, what are your chances of getting cancer? They'll give you a number,
[22:26.280 --> 22:30.120]  right? Estimate your percentage chances of it. And they'll say something like 10%.
[22:30.120 --> 22:37.780]  Or 60%. Because they, you know, most people have no idea. If they say 10%, the answer is 30%,
[22:37.780 --> 22:43.040]  right? It's like, it's, you know, we have so much data on this, we know how many people get cancer,
[22:43.040 --> 22:47.860]  we know what percentage, it's, you know, it's pretty, pretty solid, right? It's 30%, right?
[22:47.860 --> 22:54.260]  30% of people get cancer. And, but if people underestimate and say 10%, and then you give
[22:54.260 --> 23:00.380]  them the answer and say it's 30%, they'll go, nah, for me, it's 10%. You go, why? I just feel
[23:00.380 --> 23:06.180]  that way. But if they say it's 60%, and then they learn it's 30%, they'll be like, oh, no, yeah,
[23:06.180 --> 23:11.320]  no, I'm better than that. I'm like 20. They'll adjust dramatically, if they overestimate,
[23:11.320 --> 23:16.640]  but not if they underestimate. And I think this bias carries through in all aspects of our life,
[23:16.640 --> 23:24.160]  where nobody thinks that they are below average at anything. And this is, this is like a
[23:24.160 --> 23:29.140]  psychological fact you can prove over and over again. 90% of drivers think they're above average
[23:29.140 --> 23:34.240]  drivers, right? Which is, you know, demonstrably false, of course, but there's very few people who
[23:34.240 --> 23:40.340]  admit they are a below average driver. And anybody who spent any kind of time on New York City's
[23:40.340 --> 23:45.520]  will know that that is definitely not true, particularly among the taxi set.
[23:45.860 --> 23:53.420]  So how does this translate to information security? I've linked to a report that I did
[23:53.420 --> 23:58.640]  some work on, and I was part of the advisory team for this ESI Thought Lab piece, which was
[23:58.640 --> 24:03.500]  published about a month ago. It's a great report. I'm not just shilling it because I was involved
[24:03.500 --> 24:08.320]  with it. I actually think it's great, but you can read it and make your own determination.
[24:08.320 --> 24:16.780]  There's some great data in there about what the chances are of having a breach. And they did a lot
[24:16.780 --> 24:22.740]  of great work around looking at the, you know, the entire universe of companies and what percentage
[24:22.740 --> 24:28.640]  of them actually suffered breaches during the previous year. And if you go with the moderate
[24:28.640 --> 24:35.980]  or material level, people estimated 45% said, you know, that was our chance. And it's way higher.
[24:35.980 --> 24:40.180]  It's almost double that for a lot of industries, their chance of actually getting breached.
[24:40.260 --> 24:45.660]  So people do not believe they're going to get hacked. Even after they've been hacked, they will
[24:45.660 --> 24:49.680]  still believe their chances of getting hacked again are way lower than they actually are.
[24:49.680 --> 24:53.020]  And it's just a cognitive bias that you have to get people past.
[24:57.060 --> 25:01.180]  Why are people so bad at estimating risk? Availability bias. This is the second one. And this
[25:01.180 --> 25:07.400]  is, you know, got a couple of my favorite examples in it. Australia's national terrorism threat level
[25:07.400 --> 25:16.620]  is probable. And if you look at the data, I think, like, two people had been killed in terrorist
[25:16.620 --> 25:21.560]  incidents in a 20-year period in Australia. It's like, I don't think you know what the word
[25:21.560 --> 25:25.560]  probable means. I mean, like, it's a terrible, these are terrible things, they're terrible tragedies,
[25:25.560 --> 25:31.700]  every one of them horrible and shouldn't happen. But that's not what the word probable means,
[25:31.700 --> 25:40.540]  and I think we struggle with these things that are emotional and impactful like that,
[25:40.540 --> 25:45.940]  and estimating them in sort of cold calculated terms so that we can get an accurate perception
[25:45.940 --> 25:51.780]  of risk. And nobody wants to say, that's ridiculous, a terrorist attack is not probable,
[25:51.780 --> 25:57.780]  right? It's just, you know, it's just, it's emotionally, it just doesn't make us feel good
[25:57.780 --> 26:01.320]  to say things like that. And there's a bunch of other examples here, right? Like the shark
[26:01.320 --> 26:11.720]  attack one is just my favorite, like 186 in 20 years, among 6 billion people. I mean, that's like,
[26:11.720 --> 26:17.160]  that's less, I don't even know how to describe that as it's so infinitesimally small, right?
[26:18.340 --> 26:22.180]  Yeah, I guess I could do the math and actually come up with a number, but it's really, really
[26:22.180 --> 26:28.480]  small. And, you know, if you look at like, there was this huge warnings about Zika, and I mean,
[26:28.480 --> 26:34.600]  it's just, it was very, very small. And I think we have to take those things into perspective.
[26:34.600 --> 26:39.000]  And this is what keeps us from getting into the FUD area when it comes to information security.
[26:39.080 --> 26:46.240]  Look at the numbers, look at the data and figure out what the real risks are and what really is
[26:46.240 --> 26:52.040]  probable and what really is likely and what really isn't. And yeah, the good news is we
[26:52.040 --> 26:55.660]  generally don't have to deal with, you know, people dying and all of that kind of thing.
[26:55.660 --> 26:59.440]  It's just like a computer getting hacked and some guy losing money or something. So it's not,
[26:59.440 --> 27:04.040]  it's not as serious and it's not as emotional, but it still is. I mean, people, people will
[27:04.040 --> 27:08.700]  generally, you know, you get hacked in a material way, people are losing their jobs, right? I mean,
[27:08.700 --> 27:13.140]  it's just, that's sort of the way that that works. And people will get emotional and defensive about
[27:13.140 --> 27:18.640]  it. Like I said, when you expose a cognitive bias, it's like, ah, makes their head explode
[27:18.640 --> 27:24.980]  and they freak out on you. All right, learned helplessness. This is the other one. Oh my god,
[27:24.980 --> 27:30.900]  I see this one so often. They're like, why are we patching? Everybody gets hacked anyway.
[27:31.060 --> 27:35.100]  What's the deal? Who cares? You know, like everybody gets hacked anyway. It's not like
[27:35.100 --> 27:40.140]  I can stop these hackers. I mean, like there's a big group of people who think the hackers are
[27:40.140 --> 27:45.140]  all powerful and they can't be stopped anyway. So why are we bothering? I mean, at least three
[27:45.140 --> 27:52.060]  times, every, every time I teach information security awareness, at least one person comes
[27:52.060 --> 27:56.140]  up to me and say, why are we bothering? Everybody's getting hacked anyway. Like I click,
[27:56.140 --> 28:00.520]  you know, you can't stop people from clicking. Why are you bothering teaching this? And
[28:02.000 --> 28:06.860]  it's just the wrong way to look at this, right? Nothing is ever perfect. Nothing in life is
[28:06.860 --> 28:13.780]  perfect. But you can make it better. And that's the message that you have to communicate to folks,
[28:13.780 --> 28:22.060]  that it's never going to be perfect, but we can get better every day. Yeah.
[28:23.920 --> 28:28.520]  I'm not sure whose quote that was at the end of this, but it's great. You can't spend your way
[28:28.520 --> 28:33.400]  out of cyber problems. It's like exercise and eating right. You just have to wake up every
[28:33.400 --> 28:40.880]  morning and do it. And that is absolutely the truth. You can't buy enough things to fix
[28:40.880 --> 28:48.500]  cybersecurity. You actually have to do the work and that's hard for people to accept. And I think,
[28:48.500 --> 28:53.760]  um, yeah, it takes a while to get people over that, but, you know, there's no,
[28:53.760 --> 28:57.340]  I'm going to patch and be done. It's you're going to patch today and you're going to patch tomorrow.
[28:57.760 --> 29:01.460]  And, you know, they're going to feel like Sisyphus pushing that rock up the hill and
[29:01.460 --> 29:05.880]  waiting for it to roll back on. But that's, that's sort of the game. Every patch Tuesday
[29:05.880 --> 29:10.600]  is the Microsoft Sisyphean rock coming to roll, roll over you down the hill.
[29:13.390 --> 29:17.710]  This is so weird. I feel like I should stop and ask for questions, but there's nobody to
[29:17.710 --> 29:24.110]  ask questions of. All right. So we're going to keep going. Um, anybody who hasn't read Cliff
[29:24.110 --> 29:29.490]  Stoll's book, The Cuckoo's Egg, please stop listening to me right now. Go buy the book and
[29:29.490 --> 29:35.590]  read it right now. This is absolutely required reading for anybody who wants to develop a career
[29:35.590 --> 29:40.890]  in information security, particularly if you want to be a leader. It's unbelievably still prescient
[29:40.890 --> 29:46.110]  about, you know, this happens in the eighties and people are using analog modems and dial-up
[29:46.110 --> 29:53.910]  terminals and TTY green screens, the kind of stuff that I grew up on. Um, but it's still really,
[29:53.910 --> 30:01.510]  really applies to today. All of the same principles apply. And he has a great quote from, from a SANS
[30:01.510 --> 30:08.630]  conference not too long ago. Um, this was in 2017 where he's talking about, you know, how he found
[30:08.630 --> 30:13.430]  these guys in his system and he was trying to convince people they needed to do something about
[30:13.430 --> 30:18.230]  this. And he said, well, I thought all I had to do was show them the data and they'd understand,
[30:18.230 --> 30:25.010]  but it turns out I had to, I had to tell a story. And that's what people will respond to is a story.
[30:25.050 --> 30:31.430]  And, and absolutely. Um, he learns that lesson. And I think as we read the book, um, we do too.
[30:31.430 --> 30:37.930]  It's a great read. Cannot recommend it highly enough. Absolutely. Uh, you, you should, you
[30:37.930 --> 30:48.190]  should go and buy and read that book. All right. Here's some thoughts I had about selling I, uh,
[30:48.190 --> 30:57.420]  security to IT. We think, well, we're all technology folks. We've got a similar mindset,
[30:57.420 --> 31:02.760]  so this should be easy and it's not, it's not impossible, but it has its challenges,
[31:02.760 --> 31:11.440]  very different mindsets. IT people, they care about uptime costs and user experience. Um,
[31:11.440 --> 31:15.660]  they, they, that is what they get comped on, right? That's what they get paid on.
[31:15.660 --> 31:21.740]  What was the uptime? Did they deliver the features? Are the users happy? I don't want to say they
[31:21.740 --> 31:27.240]  don't care about security, but it's, it's not one of their goals, right? I mean, like they'll tell
[31:27.240 --> 31:30.840]  you it's one of their goals, but it's really not. It's, you know, it's one of the things that's
[31:30.840 --> 31:37.600]  adjacent to their goals and we have to convince them that security will help those three. And
[31:37.600 --> 31:44.240]  there's a few strategies to do that. Um, you got to get them over the hurdles of some of these
[31:44.240 --> 31:51.300]  things here. I got a firewall. I bought a firewall. I plugged it in. I'm secure, but there's an any,
[31:51.300 --> 31:56.080]  any rule at the front of it. Why would they sell me a firewall that isn't secure? Why would Cisco
[31:56.080 --> 32:02.280]  do that to me? It's like, you know, that's, that's not how firewalls work. That's not how life works,
[32:02.280 --> 32:07.660]  but, um, yeah, you have to do the work to get them through that. Um, they'll tell you about
[32:07.660 --> 32:15.500]  their audit and regulatory reports, all of these sorts of things. Um, and, and your strategy for
[32:15.500 --> 32:21.740]  selling them is going to be to show them it's going to be a story, but it's going to be a story
[32:21.740 --> 32:26.260]  with data, right? I think pen tests are a great way to do this, where you show this guy walking
[32:26.260 --> 32:30.000]  through their environment, right? And you've got to make them as close to real life as possible.
[32:30.000 --> 32:36.780]  I think there's a big part of this where you're going to need to convince them that that data is
[32:36.780 --> 32:40.320]  not manufactured and all of those sorts of things. And you're going to have to help partner with
[32:40.320 --> 32:44.520]  them, right? You, you can't throw them under the bus. You can't sell them out to audit.
[32:44.680 --> 32:50.080]  Sometimes you have to, but you generally, those, you want those to be your last resorts. You want
[32:50.080 --> 32:57.560]  to help them and enable them to make themselves more secure without affecting their uptime too
[32:57.560 --> 33:02.700]  much, without affecting their ability to deliver features and without driving their costs through
[33:02.700 --> 33:08.320]  the roof. I think this is one of the things we're really bad at security is we push that cost.
[33:08.680 --> 33:14.640]  Hey, we were cost neutral this year, but we, you know, caused IT to double their, their budgets.
[33:17.880 --> 33:23.480]  The strategies, like I said, fear, uncertainty, and doubt, awful. Don't do it. Rat them out to
[33:23.480 --> 33:32.760]  management. Yeah. The availability bias, just put it in their face every day. That kind of works,
[33:32.760 --> 33:38.980]  believe it or not. Demonstrate their fallibility. This is one of those things that will help with
[33:38.980 --> 33:44.140]  the optimism bias. If you demonstrate clearly that they are capable of making mistakes,
[33:44.140 --> 33:49.140]  they'll be angry at first, but generally if they're professionals, they'll get over it and
[33:49.140 --> 33:57.660]  want to be better. Metrics. This is hard to argue with. Patching metrics, fantastic. Just cold,
[33:57.660 --> 34:03.740]  hard facts about patching metrics. And then a story to go with it that says, here's, you know,
[34:03.740 --> 34:10.660]  MS08-067, here's MS17-010. And if you have this open, this is the horrible things that happen to you.
[34:10.660 --> 34:16.340]  And this is how many systems we have open and show the trend so that people get a story out of it.
[34:16.960 --> 34:22.560]  Pay for it. Put it in your budget. The more tools that you can get in your budget. And listen,
[34:22.560 --> 34:29.400]  right now we've got, in security, a huge advantage, right? I think everybody, cyber is the cool thing
[34:29.400 --> 34:34.460]  at the board table. If you ask for money, it's very hard for them to say no. If IT asks for money,
[34:34.460 --> 34:40.860]  it's really easy for them to say no. So I think it's, that's one of the ways that you'll win
[34:40.860 --> 34:45.320]  people over. And of course you're going to have to have air cover from the board and senior
[34:45.320 --> 34:54.740]  management. All right. Selling security to the board. This is a challenge, right? I think it's
[34:54.740 --> 34:58.720]  not as much of a challenge now as it used to be. I think boards have really focused on this. And I
[34:58.720 --> 35:03.820]  think boards, they want to know, you know, they all know this is a risk and they want to know
[35:03.820 --> 35:08.780]  that somebody is covering them to make sure that they are doing the bare minimum, you know, not the
[35:08.780 --> 35:13.620]  bare minimum, but they're doing the things that they need to, to make the company secure from,
[35:13.620 --> 35:19.660]  from cyber attacks. Most of them don't have a technical background. Almost none of them have a
[35:19.660 --> 35:25.460]  cyber security related background. And you're going to need to figure out ways to communicate
[35:25.460 --> 35:33.380]  to them in fairly simple terms. This is the way that I do it. I've got these pretty simple four
[35:34.300 --> 35:41.340]  questions that I use and I find it really helps me get the message across in a succinct one slide
[35:41.340 --> 35:46.720]  presentation. And then I usually have some, some details behind it, but I don't want to inundate
[35:46.720 --> 35:51.460]  them with data. I know that some people's strategy is just throw everything in the deck and, you know,
[35:51.460 --> 35:55.700]  this way you're ready for any question. I think these four are the only four questions that a
[35:55.700 --> 35:59.920]  board member really cares about, but every board is going to be different. So are we compromised
[35:59.920 --> 36:04.320]  right now? Right. Everybody, this is one that scares security people. Like how would I know?
[36:04.320 --> 36:08.260]  Oh my God, they're going to, you know, you've got to give them a high, medium, and low, and
[36:08.260 --> 36:13.300]  some reasoning why you think that. How vulnerable? Again, this is even fuzzier.
[36:13.740 --> 36:19.020]  High, medium, or low? Why do you think that? Who might attack us? What would they use? And how are
[36:19.020 --> 36:25.180]  we defending against it? Just a couple of sentences. How are we going to address, you know, because
[36:25.180 --> 36:31.140]  there's so much uncertainty in this, how are we going to address that next level of threats? And
[36:31.140 --> 36:35.440]  this is early on in the presentation. I love those maps with the dragons at the end of the earth and
[36:35.440 --> 36:40.300]  falling off the end of the earth, the uncertainty bit. That's why they used to draw those, right?
[36:40.300 --> 36:44.140]  Because nobody knew what was on the other side of those maps. And that's fun, right? You know,
[36:44.140 --> 36:51.320]  the dragons at the end of the map are fun. Yeah. And then what's our plan if we do get compromised?
[36:51.320 --> 36:55.640]  Like I said, you have to have thought through this. You have to be able to communicate this.
[36:56.880 --> 37:01.320]  Some of the things that I've got at the back end of this deck are folks who didn't, right? Some
[37:01.320 --> 37:07.300]  examples of folks who struggled with that. All right. I'm going to move along a little bit here.
[37:08.360 --> 37:12.600]  Yep. Here's some other examples of things that you can communicate to the board.
[37:12.600 --> 37:17.820]  Some metrics, agree on metrics, make your metrics consistent and show a trend over time. That's what
[37:17.820 --> 37:21.280]  they're going to understand. They're not going to know what an attempted attack means, but they're
[37:21.280 --> 37:24.900]  going to want to know, am I getting more? Am I getting less? Are they getting better? Are they
[37:24.900 --> 37:29.540]  getting worse? Those are the sorts of things that a board and senior management is going to want to
[37:29.540 --> 37:40.620]  understand. I think this is another great way to report risk. How is high, medium, low risk and
[37:40.620 --> 37:45.220]  impact on our core risks? What are those core risks around cybersecurity that we face? What's
[37:45.220 --> 37:50.660]  the trend? What do you view the residual risk after the controls that you've put in place?
[37:50.660 --> 37:54.560]  It's the difference between inherent risk, which is the risk as it stands naturally,
[37:54.560 --> 38:00.360]  and residual risk, which is the risk after the controls and mitigations you put in place to deal
[38:00.360 --> 38:07.500]  with that risk. All right, so here's some case studies. Everybody probably remembers this.
[38:07.500 --> 38:14.000]  HBGary, CEO of the company, got up there and said really bad things about Anonymous and how
[38:14.000 --> 38:20.660]  he was all up in their business. And this ended really, really badly for him. He taunted Anonymous
[38:20.660 --> 38:28.140]  and they went through him like a hot knife through butter. They owned him three ways from Sunday to
[38:28.140 --> 38:32.060]  wiping his personal iPad at the end of the attack. I mean, it was just
[38:33.660 --> 38:38.920]  completely unprepared for the onslaught that came his way.
[38:40.340 --> 38:49.380]  Yeah, there's a great video if you ever have a chance to Google it on YouTube. I can't remember
[38:49.380 --> 38:53.340]  the guy's name, but one of the late night comedians does about this hack on HBGary,
[38:53.340 --> 39:00.960]  it's fantastic. So the other one that I'd like to talk about here in the same kind of group
[39:00.960 --> 39:07.560]  is Sony Pictures, right? And this got all wrapped into politics, but end of the day,
[39:07.560 --> 39:16.900]  they made a movie that was poking the eye of the dictator of North Korea, right? And you just go,
[39:16.900 --> 39:20.520]  you know, risk avoidance, somebody should have said, you know, you could
[39:20.520 --> 39:26.280]  just call it something else, not North Korea, and you wouldn't piss these guys off so much.
[39:26.600 --> 39:30.000]  Again, they went through these guys like a hot knife through butter, and they owned
[39:30.000 --> 39:35.000]  them three ways from Sunday, released movies, dumped all their emails. It was just horrible.
[39:35.760 --> 39:44.340]  And, you know, if you look at the common elements here, they were engaged in an activity that was
[39:44.340 --> 39:50.000]  not universally admired, right? I mean, you pissed somebody off. Management didn't understand
[39:50.000 --> 39:56.820]  how dangerous that adversary was. The information security controls were not up to the task of
[39:56.820 --> 40:03.400]  defending against somebody who, you know, is very well prepared to attack you. And the attackers have
[40:03.400 --> 40:10.260]  all the advantage in that space, right? So, you know, from then, and then, you know, obviously,
[40:10.260 --> 40:15.120]  neither of them was prepared with any kind of response once this had happened, right? None of
[40:15.120 --> 40:22.500]  them had any kind of a disaster recovery or recovery strategy at all, it seemed, to deal
[40:22.500 --> 40:26.520]  with these things, you know, they were both on pen and paper for months afterwards, supposedly.
[40:27.200 --> 40:31.200]  You know, and the responses were, you know, followed the standard script there at the bottom.
[40:33.800 --> 40:38.640]  Right, so here's our lessons, you know, from this is my view of it, don't pick fights with
[40:38.640 --> 40:42.560]  people who have nothing to lose. You know, you have everything, I mean, literally, they have
[40:42.560 --> 40:47.580]  nothing to lose, you have everything to lose. That's dumb, right? Private companies with,
[40:47.580 --> 40:51.640]  you know, profit loss calculations, if they go against people who don't,
[40:51.640 --> 40:56.480]  that's going to end badly for you, right? They got all the time and energy in the world.
[40:56.840 --> 41:00.840]  You know, if you give somebody that much leeway, they're going to get through.
[41:01.600 --> 41:07.460]  Know your enemy and yourself. No cybersecurity presentation is complete without a Sun Tzu quote.
[41:08.640 --> 41:13.580]  All right, just some questions to think about, right? There's a great statement in the Sony
[41:14.520 --> 41:19.100]  case that came out maybe a year before, it's a valid business decision to accept the risk of
[41:19.200 --> 41:24.500]  a security breach. I will not invest 10 million to avoid a possible $1 million loss. That's a
[41:24.500 --> 41:31.080]  valid statement. The problem is, he was totally wrong about the amount of loss, right? I mean,
[41:31.080 --> 41:38.480]  totally, way, hundreds of times off base on the order of magnitude there. And that was the issue.
[41:41.560 --> 41:46.500]  WannaCry and NotPetya. And I think I'm wrapping up my time here. So I'm going to talk
[41:46.500 --> 41:53.080]  through these next few slides fairly quickly. And I'm happy to chat about these. Afterwards,
[41:53.080 --> 42:03.380]  I'll be on chat. So obviously, everybody knows what these were from 2017. Big worms, MS17-010,
[42:03.380 --> 42:08.780]  spread through the networks. WannaCry was an amateur version, NotPetya was like, you know,
[42:08.780 --> 42:13.780]  somebody who knew what they were doing said, hold my beer, watch this and just let loose on the
[42:13.780 --> 42:19.360]  world. I don't think it meant to spread as far as it did, but it sure did. And boy, was it a whopper.
[42:20.520 --> 42:26.480]  It taught me a few things, right? Patching is not optional, right? And I think IT will tell you,
[42:26.480 --> 42:32.780]  why would I patch? Every time I patch, I lose 2% of my systems or whatever percent of my systems.
[42:33.520 --> 42:41.000]  And here's why, right? You just got to patch everything. And it's not the same as it used
[42:41.000 --> 42:47.180]  to be where you had security through obscurity. Shodan's out there, man. And they can scan your
[42:47.180 --> 42:51.940]  whole network in seconds. And they will find every single one that you didn't patch. So
[42:51.940 --> 42:58.560]  patching 99% is marginally better than patching nothing, because they'll find that 1%. And then,
[42:59.320 --> 43:04.440]  if you got hit with NotPetya, that was it. They just needed to find one. And
[43:05.680 --> 43:09.700]  there's a bunch of other things here that are pretty relevant, like email, having email.
[43:09.860 --> 43:13.360]  So it's not connected to the internet, but it's got email. That's the same thing. Maybe
[43:13.360 --> 43:23.400]  it's low latency, a high latency network, but it's still on the internet. Yeah.
[43:24.020 --> 43:28.160]  Why is patching so hard? I think we covered it, right? Some other questions to think about. I
[43:28.160 --> 43:33.260]  think these are the sorts of things, to me, these questions, are what lets me get inside the head
[43:33.260 --> 43:39.000]  of the people in IT and the people in management, so that I can better understand the problems
[43:39.000 --> 43:43.160]  they're going with. And hopefully, this is a helpful exercise for you. And again, I'm willing
[43:43.160 --> 43:48.840]  to talk and chat through any of these things with anybody. But this is the sort of thinking
[43:48.840 --> 43:53.100]  that will get you to that high empathy state, so that you can relate to why they're having
[43:53.100 --> 43:58.200]  problems and maybe help design solutions, instead of just, you know, flinging vulnerabilities out,
[43:58.200 --> 44:04.560]  which is fun. Absolutely. But actually helping solve a problem will actually increase your
[44:04.560 --> 44:11.160]  company's risk tolerance. All right. Equifax. Everybody knows this one. I'm not going to spend
[44:11.380 --> 44:16.120]  a lot of time recounting what happened there. But let's just say Congress gets involved. And
[44:16.120 --> 44:21.320]  if you're a private company and Congress starts interviewing you on stage, that's about as bad as
[44:21.320 --> 44:26.580]  it gets, right? You're up there and they're going, they're wagging their finger at you. That's not a
[44:26.580 --> 44:33.760]  good thing. And sort of the same results that we were talking about before, patching 99%,
[44:33.760 --> 44:38.080]  only marginally better than patching one. You know, the CEO at one point was saying,
[44:38.080 --> 44:44.280]  it was this one guy in the test unit who didn't patch his server. And that's why all of this
[44:44.280 --> 44:49.200]  happened. And it's like, dude, you're missing the point, if you think that, right? You don't have a
[44:49.200 --> 44:55.740]  process that covers your entire organization. It's on you. Yeah. And I think he went to jail
[44:55.740 --> 44:59.760]  and a couple other people, like, because they all sold stock as soon as they heard the breach.
[44:59.760 --> 45:05.240]  That's lesson number one. If you're involved in a breach, stop selling or buying stock.
[45:05.680 --> 45:10.640]  Absolutely. Do not. Do not. Yeah. Planning for an incident. This is another one where they were
[45:10.640 --> 45:15.440]  totally unprepared, right? I mean, it was just, it was like comical to watch those couple of
[45:15.440 --> 45:25.050]  weeks afterwards. It was like, oh my God, what are they doing over there? Yeah. Some more big
[45:25.050 --> 45:30.710]  questions to think about. And the one that I like here, and I'm as guilty of it as anybody, right?
[45:30.710 --> 45:35.510]  This was victim blaming, right? Everybody was like, Equifax, you're horrible. What if somebody
[45:35.510 --> 45:39.890]  showed up at their offices with a gun and stole the files? Would we say the same thing? And I
[45:39.890 --> 45:45.850]  don't know why this is fundamentally different, but I guess it is. I don't know. But I mean,
[45:45.850 --> 45:49.570]  you wouldn't expect them to have armored personnel carriers outside their office and
[45:49.570 --> 45:54.150]  all of their staff wearing bulletproof vests so that they could fight off the guys who came
[45:54.150 --> 46:00.450]  in with a gun to steal the files. But we expect that from them in a cyber realm. And, but it's,
[46:00.450 --> 46:05.330]  you know, read the terrain. That's the way the world is, I guess, right now. But those are the
[46:05.330 --> 46:10.270]  sorts of things I think about when I read these things. All right. A couple of documents, and I'm
[46:10.270 --> 46:15.510]  going to wrap up because I'm probably going to get yelled at pretty soon. This is a great
[46:15.510 --> 46:20.430]  document on what it takes to become a leader. There's a link to it on the bottom. The Cyber
[46:20.430 --> 46:24.350]  Security Guide for Leaders in Today's Digital World from the World Economic Forum. Fantastic
[46:24.350 --> 46:31.450]  document. These 10 things, like, just absolutely nail it for what you need to do to get to a
[46:31.450 --> 46:38.090]  leadership role in cybersecurity. Best practices. These are the best practices from the ESI
[46:38.090 --> 46:44.190]  ThoughtLab piece. Again, I think really nails it. A different take on it because I think it's
[46:44.190 --> 46:49.490]  from CISOs themselves, as opposed to folks on the outside. But fantastic. It really gives you
[46:49.490 --> 46:55.110]  some great examples of what you can do to improve any cybersecurity program.
[46:55.950 --> 47:02.530]  This is a method that I like. I've used it for a long time for how to build a cybersecurity
[47:02.530 --> 47:07.930]  strategy. Sort of what's the funnel look like? What goes into that process? What are the things
[47:07.930 --> 47:13.430]  that make up the levers that drive your cybersecurity strategy?
[47:15.190 --> 47:19.550]  Great. Putting it all together. These are my closing thoughts.
[47:19.770 --> 47:27.310]  Everybody talks about APTs and nation-state elite hackers. Yeah, they probably could get through
[47:27.310 --> 47:31.170]  because they have unlimited time and budget, but they probably don't care about you. That's not
[47:31.170 --> 47:36.350]  where I would spend most of my time. I mean, you got to do... but, you know, chances are
[47:36.350 --> 47:39.230]  overwhelmingly you're going to get attacked. You're going to get owned by some
[47:39.230 --> 47:46.790]  chintzy ransomware gang out of nowhere. If management makes bad decisions, there's not
[47:46.930 --> 47:52.550]  a lot you can do other than be prepared with a response plan. Your job is to tell them when
[47:52.550 --> 47:57.110]  they're making bad decisions. Even if they yell at you and say, why do you always shut down my
[47:57.110 --> 48:02.950]  plans? Because your plans always suck. No, you have to do that. You have to have the emotional
[48:02.950 --> 48:07.750]  courage to say, this plan is stupid, and I'm going to tell you this plan is stupid. I'm not
[48:07.750 --> 48:14.150]  going to stop you from doing it, but I'm going to tell you that it's stupid. Yeah. The vast majority
[48:14.150 --> 48:19.410]  of this stuff, almost all of it, like almost all of these things happen because we suck at inventory
[48:19.410 --> 48:25.710]  and patching. Just suck at it. And I think the basics, and everybody says this, and it drives me
[48:25.710 --> 48:30.610]  nuts when I hear it because it's like a platitude, but if we could patch our stuff and we knew where
[48:30.610 --> 48:38.030]  our stuff was, 99% of this stuff wouldn't happen. If we did that and put MFA on all of our logins,
[48:38.030 --> 48:41.570]  almost, it would be almost impossible. Like it would be really, this would be really, really
[48:41.570 --> 48:46.190]  hard. You know, I say that and then they'll figure out 10 ways around that stuff. But
[48:46.190 --> 48:51.190]  if we were just effective at this stuff, we would take off so much low-hanging fruit.
[48:51.730 --> 48:57.590]  Yeah. And these are the five rules about how to manage cybersecurity risk. Assign responsibility,
[48:57.590 --> 49:03.290]  identify and quantify the risks, mitigation strategies, communicate. Like I said,
[49:03.290 --> 49:08.330]  tell them when they're doing something stupid and make sure you highlight the risks. And plan for
[49:08.330 --> 49:11.130]  when you fail, right? Because everybody's going to fail. You're going to be wrong. You're going to
[49:11.130 --> 49:14.710]  be wrong. They're going to be wrong. Everybody's going to be wrong sometimes. You got to have a
[49:14.710 --> 49:21.690]  plan to deal with that. And that's it for me. I'll hang around and chat and answer questions.
[49:21.690 --> 49:26.450]  Peter, thank you so much. That was absolutely wonderful. And I missed the cat. I wish the
[49:26.450 --> 49:33.390]  cat would come back more. Thank you. Thank you so much for having me. No problem. In addition to
[49:33.390 --> 49:39.210]  Peter being in the chat to talk about this topic, he's also going to be available for career
[49:39.210 --> 49:45.790]  coaching. So be sure to check out the schedule that's pinned in the Discord channel to sign up
[49:45.790 --> 49:52.250]  to be coached by Peter. Peter, it was great seeing you. I'm sorry, I have to cut off and go to the
[49:52.250 --> 49:55.350]  next one. Take care. Thank you very much. Bye-bye.
